[Swan-dev] Integrating Libreswan for IKEv2 and IPsec

Mon May 18 17:43:18 UTC 2020

Hi Paul,

I have some general security-policies that just allow the traffic to pass
through the system (i.e., no IPsec is applied to those traffic). Say for
example, allow all traffic of of certain source and destination IP and
source and destination port as 5060 (SIP traffic) not processed by IPsec.

In that case, how do I convey this security-policy behavior to Libreswan
via the script? What parameters need to be configured? Should I create a
separate connection section?

Thanks,
Balaji

On Sat, May 16, 2020 at 1:38 PM Balaji Thoguluva <tbbalaji at gmail.com> wrote:

> Thanks Paul for the information.
>
> On Mon, May 11, 2020 at 1:29 PM Paul Wouters <paul at nohats.ca> wrote:
>
>> On Mon, 11 May 2020, Balaji Thoguluva wrote:
>>
>> > I am a newbie to Libreswan. I am working on a Linux based application
>> project where we need IKEv2 and IPsec stack to support sending traffic over
>> IKEv2/IPsec established tunnel.
>> >
>> > Do you have some guidelines or detailed steps on how to
>> > 1. Initialize and integrate the Libreswan stack with the application
>> (user-space of Linux)
>>
>> What do you mean with "libreswan stack"?
>>
>> There are two ways to initiate tunnels. One is packet triggered, and one
>> is command triggered. The packet trigger works if your conncetion has
>> been loaded using the auto=start keyword in the connection configuration
>> file (the "conn" section). To bring defined connections in connection
>> files up using a command, you can use the "ipsec auto --up" and "ipsec
>> auto --down" commands. A more low level command is "ipsec whack", which
>> is basically an (undocumented internal only) API using a socket in
>> /run/pluto/pluto.ctl with the message format defined in whack.h
>>
>> > 2. any documents on Libreswan API's and how to trigger IKEv2
>> negotiation from the application via Libreswan, how to install SA's and
>> SPD's via Libreswan to Linux etc.
>>
>> If you can do it packet triggered, that is the best way. It requires no
>> modification of your application. If you want to specifically trigger
>> it, and the connections are fairly static with respect to configuration,
>> use the ipsec auto command. If you are looking at large scale mesh
>> dpeloyment, look at "opportunistic IPsec".
>>
>> You should not need to install IPsec SA's or IPsec SPD's in the kernel
>> manually. All of that is handled by libreswan's IKE daemon pluto.
>>
>> See further:
>>
>> https://libreswan.org/wiki/Configuration_examples
>>
>> https://libreswan.org/man/
>>
>> You need to decide what to use for authentication, PSK or raw public
>> keys or certificates. Depending on that choice, you might need to
>> look into the integration of libreswan with NSS for certificate
>> handling: https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan
>>
>> Opportunistic IPsec for enterprise mesh:
>> https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
>>
>> To integrate tunnel status in your application, you can use "ipsec
>> trafficstatus"
>>
>> Paul
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20200518/e798986b/attachment.html>